Weekly podcast: Bank of England, the OPM, Patch Tuesday and Japanese minister

This week, we discuss a Bank of England cyber resilience exercise, the latest cyber security news from the US Office of Personnel Management, the highlights of this month’s Patch Tuesday, and a surprising admission by a Japanese cyber security minister.

Hello and welcome to the IT Governance podcast for Friday, 16 November. Here are this week’s stories.

The Bank of England, in partnership with the Treasury and the FCA (Financial Conduct Authority), has staged a one-day exercise to test the financial sector’s resilience to cyber attacks.

According to the BBC, some 40 firms, including leading banks, took part in last Friday’s war-gaming exercise to demonstrate that they are “able to meet certain minimum recovery standards after a cyber-attack”.

The bank said the exercise “forms a vital part of the sector wide biennial process that seeks to ensure the industry is prepared for – and can respond effectively to – any major disruption stemming from a cyber Incident, protecting the financial system on which the public relies. The exercise will help authorities and firms identify improvements to our collective response arrangements, improving the resilience of the sector as a whole”.

Regular listeners will remember that the Bank, the FCA and the PRA (Prudential Regulation Authority) launched a consultation on an approach to improve operational resilience in the banking and financial market infrastructures sectors in July. The consultation period ended last month and we await the results.

Cyber resilience is, of course, essential for all organisations, not just those in the financial sector. In an age in which traditional security measures are proving increasingly inadequate at mitigating an array of attacks, prudent organisations are increasingly preparing for successful attacks, and developing cyber resilience strategies to reduce their impact.

According to a new report from the World Economic Forum, Regional Risks for Doing Business 2018, cyber attacks are now the biggest threat to business across Europe, North America, and East Asia and the Pacific.

The report, which is based on responses from more than 12,500 executives, observes that this highlights “the growing reliance of global commerce on digital networks that are the target of increasingly sophisticated and prolific attacks”.

To find out more about how to bolster your defences and put plans in place to take appropriate action after an incident, visit itgovernance.co.uk/cyber-resilience, or download our free paper on implementing cyber resilience.

Do you remember the 2015 data breaches at the OPM (the US federal Office of Personnel Management)? The ones that affected the unencrypted personal data of 4.2 million past and present federal employees and the background investigation records of 21.5 million individuals? Yes, them.

After the incidents, the OPM announced a series of measures to strengthen its cyber security, including implementing two-factor authentication for privileged users, restricting remote access for network administrators, deploying anti-malware software, implementing continuous monitoring, installing more firewalls, developing a risk executive function to ensure risk mitigation, and introducing mandatory cyber security awareness training for all staff.

However, according to a report issued by the GAO (Government Accountability Office) this week, the OPM has failed to comply with 28 of the 80 recommendations the GAO made in the aftermath of the debacle.

These include recommendations to reset all passwords, install critical patches, evaluate accounts to ensure privileged access is warranted and assess security controls as part of a programme of continuous monitoring.

Furthermore, the OPM has failed to provide appropriate training for those with “significant security responsibilities”, failed to encrypt passwords and failed to install the latest versions of operating systems.

These are all basic security practices – the sort of technical and organisational measures mandated by laws and standards around the world.

As the GAO says in its summary, until the OPM “implements these recommendations, its systems and information will be at increased risk of unauthorized access, use, disclosure, modification, or disruption”.

The same is true of every organisation that doesn’t take these measures.

Talking of installing updates, it was Patch Tuesday this week. Among November’s 60-odd updates, Microsoft fixed 12 critical vulnerabilities, and one zero-day.

CVE-2018-8589 is an elevation of privilege vulnerability that exists when Windows improperly handles calls to Win32k.sys. It’s already being exploited to “run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights”.

Other highlights are patches for:

  • CVE-2018-8566, a publicly disclosed security feature bypass vulnerability affecting BitLocker, which could be exploited to allow attackers with physical access to target systems to gain access to encrypted data, and
  • CVE-2018-8584, a publicly disclosed elevation of privilege vulnerability affecting ALPC (Advanced Local Procedure Call), which an attacker could exploit to “run arbitrary code in the security context of the local system” and “then install programs; view, change, or delete data; or create new accounts with full user rights”.

Microsoft has also re-released the Windows 10 October Update (version 1809), which some admins will remember deleted the contents of their ‘My Documents’ folders when it was first released last month – a reminder, then, to test all updates before installing them.

Finally, a Japanese minister surprised parliament this week when he admitted that he’s never used a computer and doesn’t know what a USB drive is. Asked about his computer literacy, 68-year-old Yoshitaka Sakurada told a parliamentary committee meeting on Wednesday: “I’ve been independent since I was 25 and have always directed my staff and secretaries to do that kind of thing. I’ve never used a computer!”

Sakurada is responsible for… overseeing cyber security preparations for the 2020 Olympic Games in Tokyo.

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.